
(PA-6386) Patch/Upgrade Ruby for CVE-2024-27282 #858

Conversation

shubhamshinde360
Contributor

@shubhamshinde360 shubhamshinde360 commented Jun 3, 2024

  • Patches the ruby 'Use-After-Free' issue for regexp for 7.x (ruby 2.7.8).
  • Upstream fix commit: ruby/ruby@90b194b
  • Bump projects using ruby 3.2.3 to ruby 3.2.4 since 3.2.4 has addressed the CVE.
  • Adjust windows patches for ruby 3.2.4

@shubhamshinde360 shubhamshinde360 requested review from a team as code owners June 3, 2024 13:55
@shubhamshinde360
Contributor Author

shubhamshinde360 commented Jun 3, 2024

Ran the following platforms on the impacted projects for testing:

  1. pe-bolt-server-runtime-main
    el-7-x86_64 ubuntu-22.04-amd64 redhatfips-8-x86_64 sles-15-x86_64

  2. pe-installer-runtime-main
    el-7-x86_64 ubuntu-22.04-amd64 redhatfips-8-x86_64 sles-15-x86_64

  3. pdk-runtime
    debian-11-amd64 el-8-x86_64 fedora-36-x86_64 sles-15-x86_64 ubuntu-22.04-amd64 ubuntu-22.04-aarch64 osx-13-x86_64 osx-13-arm64 windows-2019-x64

  4. agent-runtime-main
    el-7-x86_64 aix-7.2-ppc el-8-ppc64le el-9-aarch64 amazon-2023-aarch64 debian-11-amd64 debian-12-aarch64 fedora-40-x86_64 osx-12-arm64 osx-13-x86_64 redhatfips-8-x86_64 sles-12-x86_64 solaris-11-i386 solaris-11-native-sparc ubuntu-20.04-amd64 ubuntu-22.04-aarch64 windows-2012r2-x64 windows-2012r2-x86 windowsfips-2012r2-x64

  5. agent-runtime-7.x
    el-7-x86_64 aix-7.1-ppc el-8-ppc64le el-9-aarch64 amazon-2023-aarch64 debian-11-amd64 debian-12-aarch64 fedora-40-x86_64 osx-12-arm64 osx-13-x86_64 redhatfips-8-x86_64 sles-12-x86_64 solaris-11-i386 solaris-11-native-sparc ubuntu-20.04-amd64 ubuntu-22.04-aarch64 windows-2012r2-x64 windows-2012r2-x86 windowsfips-2012r2-x64

Everything succeeded.
All of the artifacts can be found at: https://builds.delivery.puppetlabs.net/puppet-runtime/1dce21f58edb147367dcde68fc53c11e07e656ba/artifacts/

@shubhamshinde360 shubhamshinde360 force-pushed the PA-6386-patch-and-upgrade-ruby branch from f1f242d to 089fe16 on June 3, 2024 18:47
@shubhamshinde360 shubhamshinde360 marked this pull request as draft June 3, 2024 19:17
@shubhamshinde360 shubhamshinde360 force-pushed the PA-6386-patch-and-upgrade-ruby branch from 089fe16 to 934dd66 on June 3, 2024 19:51
Contributor

@joshcooper joshcooper left a comment


pending the outcome of windows builds

@shubhamshinde360 shubhamshinde360 force-pushed the PA-6386-patch-and-upgrade-ruby branch 3 times, most recently from ab8b000 to bd915f0 on June 4, 2024 09:37
@shubhamshinde360 shubhamshinde360 force-pushed the PA-6386-patch-and-upgrade-ruby branch from bd915f0 to a687390 on June 4, 2024 10:09
@shubhamshinde360 shubhamshinde360 marked this pull request as ready for review June 4, 2024 13:49
@shubhamshinde360
Contributor Author

The windows patching now succeeds.
Tested for projects:

  1. agent-runtime-main
    windows-2012r2-x64 windows-2012r2-x86 windowsfips-2012r2-x64
  2. pdk-runtime
    windows-2019-x64

(The other projects don't support Windows, and agent-runtime-7.x is not affected by the changes made to the patches for ruby-3.2.4.)
All the windows build artifacts can be found at: https://builds.delivery.puppetlabs.net/puppet-runtime/a68739048ab72be15f9a31d0c0c57d847394f19d/artifacts/

All linux based artifacts can be found at: https://builds.delivery.puppetlabs.net/puppet-runtime/1dce21f58edb147367dcde68fc53c11e07e656ba/artifacts/

@shubhamshinde360 shubhamshinde360 merged commit 2f23346 into puppetlabs:master Jun 4, 2024
3 checks passed
@joshcooper
Contributor

@shubhamshinde360 not a big deal, but for next time, could you check that your commit message(s) contain an empty line between the summary and description? It seems like a very minor nit, but git relies on that to distinguish between the summary and description when outputting git log, for example. When it's missing, git prints the entire commit message:

❯ git log --oneline | head    
2f23346 Merge pull request #858 from shubhamshinde360/PA-6386-patch-and-upgrade-ruby
a687390 (PA-6386) Patch/Upgrade Ruby for CVE-2024-27282  - Patches the ruby 'Use-After-Free' issue for regexp for 7.x (ruby 2.7.8).  - Upstream fix commit: ruby/ruby@90b194b  - Bump projects using ruby 3.2.3 to ruby 3.2.4 since 3.2.4 has addressed the CVE.  - Adjust windows patches for ruby 3.2.4
80c8c35 Merge pull request #859 from joshcooper/amazon2
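The review comment above is about how git derives the "subject" that `git log --oneline` prints: the first paragraph of the message, up to the first empty line, with its lines joined by a space. The following is an added example, not code from the puppet-runtime repository or from either commenter. It reimplements that subject/body split in Ruby (modelled on git's format_subject behaviour, an assumption about git internals rather than something the page states) and adds the check a commit-msg hook could run for the missing empty line. The sample message is the one from this PR, reconstructed from the page; the fixed variant is constructed by inserting the empty line.

```ruby
# Added example (not puppet-runtime code): git-style subject/body split of a
# commit message and a commit-msg style check for the empty line between
# summary and description that the review asked for.

# git drops leading blank lines and trailing whitespace on each line.
def split_lines(message)
  lines = message.lines.map(&:rstrip)
  lines.shift while !lines.empty? && lines.first.empty?
  lines
end

# git's subject: every line up to the first empty line, joined with " ".
# Leading whitespace on continuation lines is kept, which is why a bullet
# line " - Patches ..." appears with two spaces in --oneline output when
# the empty line after the summary is missing.
def git_subject(message)
  split_lines(message).take_while { |l| !l.empty? }.join(" ")
end

# git's body: everything after the empty line that ends the subject paragraph
# (empty string when the whole message is one paragraph).
def git_body(message)
  rest = split_lines(message).drop_while { |l| !l.empty? }
  rest.drop_while(&:empty?).join("\n")
end

# The rule from the review: a message with a description must have an empty
# line between the summary line and the description. Returns a list of
# problems (empty when the message is fine), as a commit-msg hook would.
def check_commit_message(message)
  lines = split_lines(message)
  return ["empty commit message"] if lines.empty?
  problems = []
  if lines.length > 1 && !lines[1].empty?
    problems << "summary line is not followed by an empty line; " \
                "git will treat the whole message as the subject"
  end
  problems
end

# Constructed sample: the message as merged in PR #858 (no empty line after
# the summary). <<~ strips the common two-space indent, so the bullet lines
# keep their single leading space as in the original message.
MSG_WITHOUT_BLANK = <<~MSG
  (PA-6386) Patch/Upgrade Ruby for CVE-2024-27282
   - Patches the ruby 'Use-After-Free' issue for regexp for 7.x (ruby 2.7.8).
   - Upstream fix commit: ruby/ruby@90b194b
   - Bump projects using ruby 3.2.3 to ruby 3.2.4 since 3.2.4 has addressed the CVE.
   - Adjust windows patches for ruby 3.2.4
MSG

# Same message with the empty line git expects after the summary.
MSG_WITH_BLANK = MSG_WITHOUT_BLANK.sub("\n", "\n\n")

if __FILE__ == $PROGRAM_NAME
  { "without empty line" => MSG_WITHOUT_BLANK,
    "with empty line" => MSG_WITH_BLANK }.each do |label, msg|
    puts "#{label}:"
    puts "  subject:  #{git_subject(msg)}"
    puts "  body:     #{git_body(msg).lines.length} line(s)"
    puts "  problems: #{check_commit_message(msg).inspect}"
  end
end
```

Run it directly to see the two subjects side by side: the first matches the one-line blob in the `git log --oneline` output above, the second is just the summary line. The `check_commit_message` function can be dropped into a `commit-msg` hook that reads `ARGV[0]` and exits non-zero when the returned list is non-empty.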
